[wp-hackers] WP Plugins --> was::RE: [wp-forums] questionable...

Dave W dabbaking at gmail.com
Sat Aug 5 13:49:10 GMT 2006


Before deactivation of a plugin on an upgrade, it should check if the plugin
has user defined options with it and store them before activation. So,
if/when the user decides to reactivate the plugin, their settings aren't
lost.

On 8/5/06, Christopher J. Hradil <chradil at comcast.net> wrote:
>
> As I stated, based on all of the negative buzz in the past few weeks over
> security issues I probably 'read' more into the question than might have
> been there. As far as the issue itself, the OP stated:
>
> /snip
> I've been using phpBB for ages and I've been using other (shock, horror)
> blog software and what I deeply like about both is their repository of
> Plugins that have been validated by the core team thus I have someone to
> trust on a Plugin's validity.
> /snip
>
> Personally, I've been involved with the phpBB project since 2001 with
> varying degrees of activity based on what else I've had going on, that
> project has had more than its share of controversy, the *community* can be
> abrasive at times and is definitely not very open-minded or forward
> thinking in terms of planning and decision making. Jim Finn (one of the
> founders of the project) is surely a bright and talented young individual
> with lots on his plate, and does a pretty good job of keeping things
> running smoothly (ironically his personal site is proudly powered of
> course by wordpress...), but many of the key developers on the project
> seem to like the "dictatorship" model of operation, and often resist ideas
> and contributions from the community which don't match up with their
> personal opinions. One of the things I've worked hard on there with a
> small group of other individuals is the idea of pushing phpBB in the
> direction of standards compliance and a bit more 'modular' of a plugin
> architecture. Unfortunately neither of these concepts is very well
> received by many of the decision makers (although we've never really
> pushed the issues hard with Jim personally which I know would probably
> lead to an eventual change in the phpBB paradigm). These two particular
> issues are a constant FAQ and often controversial topic as new users adopt
> the platform, with questions like why can't I.... a) permalinks/friendly
> URIs b) xhtml/css compliance c) the last upgrade ruined my site and DB
> because all of my modules had made so many edits to the core files... etc.
>
> It's a given, that phpBB is a completely different animal than WP, but
> architecture wise, there is much to be learned from how others have done
> things and the mistakes they've made. With regards to the plugin topic
> specifically, the current WP architecture as a theory is what I would
> consider a 'best of breed' solution, even though at the moment there may
> be some specific issues with regards to its implementation. As I stated in
> my forum post, products like phpBB which allow (or often require) that a
> module or plugin 'edit' (albeit transparently to most users) core system
> files (and the DB architecture) in order to 'just work', are in my opinion
> a way less than desirable situation. Unfortunately many users don't fully
> understand a) that this happens at all, b) what's really happening when
> they install a mod or plugin, or c) its potential effect later on.
>
> The disadvantages (which are clearly demonstrable via things like the
> phpBB support forums) are as follows:
> 1) Upgrades to the core are risky and difficult after a plugin/mod has
> been installed, the upgrade scripts simply can't account for all of the
> changes made by the mods/plugins, this often leads to completely 'broken'
> sites which need to be re-installed from the ground up.
> 2) A failed mod/plugin install has no rollback mechanism requirement, so
> users are left with partially edited/broken core system files and often no
> clue as to how/where to attempt to fix things.
> 3) Even though it may appear that something like phpBB plugins are
> *blessed* via the phpbb.com site's mod repository, there are no [enforced]
> requirements for a plugin to adhere to any particular set of standards,
> most importantly IMO - CLEAN UP AFTER ITSELF IF A USER UNINSTALLS IT. I
> can not emphasize how critical an issue this is, sure, go to your phpBB
> admin interface and 'uninstall' a mod, then go look at all of the code
> changes to core system files and the database that the plugin made when it
> was installed which were not 'removed' after you've uninstalled it.
>
> There are a couple of others, but those are the big points.
>
> By contrast, WordPress is really clean in terms of the plugin
> architecture. This leads me to the point of this dissertation. The
> existing methodology and design of the plugin portion of WP is extremely
> elegant and powerful - both from a technical AND a marketing perspective.
> Continuing along the current path and improving on it is without doubt a
> worthy cause. It's a tremendous selling point for the WP platform moving
> forward to emphasize the flexibility, power and secure nature of the basic
> plugin architecture. When a new user makes a forum post stating something
> like "I installed x plugin and now my site doesn't work..." the ability to
> point them to the codex or simply state - "just delete the plugin file or
> directory", then like magic everything works again is really impressive.
> The fact WP plugins don't need to interfere with the core system is a HUGE
> advantage over other platforms. Upgrades are normally a breeze, personally
> I've upgraded 20+ installs so far (most from 2.0.2 directly to 2.0.4) and
> had not a single issue or problem with one of them (fingers crossed, since
> I left the 3 biggest sites for last). From my view, improvements to the
> current system are as follows:
>
> (grouped in two categories - WP Core Dev changes, and Plugin Author
> requirements)
>
> 1) Develop a core function to 'check' a plugin prior to
> install/activation to ensure that the plugin cleans up after itself
> (mostly in the area of any DB changes they might make, since we don't have
> to worry about plugins editing core files). If it doesn't have a
> "compliant" 'remove_me' function disallow activation. This places the
> responsibility for these types of issues with the plugin authors rather
> than WP system devs. Ditto for autoupdate, version check, and a
> wp-security check (to be sure things like current_user_can are
> implemented).
> 2) I know that computerguru has done some work in the past week or so on
> the 'autoupdate' system, so that's handled.
> 3) Slight re-vamp to requirements for a 'public' release of a plugin via
> either the codex repo or wp-plugins.net, require a plugin to have its own
> directory called plugin_name, and include all plugin files, plus an
> install.txt and readme.txt with at least a minimalist amount of
> documentation on use and installation.
> 4) A 'deactivate_all_plugins' function for use during WP core
> updates/upgrades. This could either be a plugin itself or part of core -
> (I wrote a perl script to do this for me directly against the DB for my
> own purposes since I had to upgrade a bunch of sites)
> 5) A *warning* notification so that if someone is about to install or
> activate a plugin that will function but doesn't comply with the
> 'standard' at least they're aware that they're about to use something
> that's *unsupported*
> 6) An updated set of requirements and guidelines for plugin authors which
> explains how to structure and 'release' a 'supported' plugin (whether it
> be via the actual wp repository or their own site).
>
>
>
> /**************************************
> Christopher J. Hradil
> chradil at comcast.net
> http://www.hradil.us
> 973-809-4606
> **************************************/
>
>
>
> > -----Original Message-----
> > From: wp-forums-bounces at lists.automattic.com
> > [mailto:wp-forums-bounces at lists.automattic.com] On Behalf Of Michael B
> > Sent: Friday, August 04, 2006 12:09 PM
> > To: wp-forums at lists.automattic.com
> > Subject: Re: [wp-forums] questionable...
> >
> > Truth is, IMO, that's a valid question from a new user.  I
> > believe I recently saw a post on the hackers list about this,
> > as well as there have been several threads about shout boxes
> > and spam, which in some ways overlaps the question.
> >
> > I'm going to post that indeed most plugins are caveat emptor,
> > however if they search the forums for top 10 lists, they can
> > assume that if enough users recommend certain plugins, that
> > they can assume the plugin has been vetted.
> >
> > ~miklb
> > I'm also going to remove the resolved as I'd prefer the user
> > mark it resolved in this case.
> >
> > Thanks Christopher for all your time in the forums, and on
> > these lists.
> >
> >
> >
> > On 8/3/06, Christopher J. Hradil <chradil at comcast.net> wrote:
> > >
> > > http://wordpress.org/support/topic/82005
> > >
> > > when I spotted that one he was an 8 minute old member, it may be
> > > benign (in which case I'm just paranoid based on last week's
> > > plugins/security debates), so I've posted an appropriate reply,
> > > tagged it modlook and resolved. It just seemed to me like someone
> > > trying to 'stir the pot'..
> > >
> > > /**************************************
> > > Christopher J. Hradil
> > > chradil at comcast.net
> > > http://www.hradil.us
> > > **************************************/
> > >
> > >
> > > _______________________________________________
> > > wp-forums mailing list
> > > wp-forums at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-forums
> > >
> >
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
Dave W
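
A sketch of the pre-activation check proposed in item 1 of the quoted message, added here as an example and not code from WordPress or from anyone in this thread. It assumes the post's `remove_me` name for the cleanup function (WordPress defines no such function) and tokenizes the plugin source so that names appearing only in comments or strings do not count; `plugin_symbols` and `activation_findings` are hypothetical helpers.

```php
<?php
// Added illustration, not WordPress core code. remove_me() is the cleanup
// hook name proposed in the post; WordPress defines no such function.

/** Return [declared function names, called function names] for PHP source. */
function plugin_symbols(string $source): array
{
    // Drop whitespace and comments so each neighbour is a significant token.
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $declared = $called = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t) || $t[0] !== T_STRING) {
            continue; // string literals are T_CONSTANT_ENCAPSED_STRING, not T_STRING
        }
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;
        $name = strtolower($t[1]);
        if (is_array($prev) && $prev[0] === T_FUNCTION) {
            $declared[$name] = true;
        } elseif ($next === '(') {
            $called[$name] = true;
        }
    }
    return [$declared, $called];
}

/** Findings that would block activation under the proposed rules. */
function activation_findings(string $source): array
{
    [$declared, $called] = plugin_symbols($source);
    $findings = [];
    if (!isset($declared['remove_me'])) {
        $findings[] = 'no remove_me() cleanup function declared';
    }
    if (!isset($called['current_user_can'])) {
        $findings[] = 'current_user_can() is never called';
    }
    $writes = isset($called['add_option']) || isset($called['update_option']);
    if ($writes && !isset($called['delete_option'])) {
        $findings[] = 'options are written but delete_option() is never called';
    }
    return $findings;
}
// Constructed sample: the required names appear only in a comment and a string.
$sample = "<?php\n// TODO: write remove_me() and call current_user_can()\n"
    . "function shoutbox_save() {\n    update_option('shoutbox_msg', \$_POST['msg']);\n"
    . "    echo 'current_user_can';\n}\n";
print_r(activation_findings($sample));
```

A check like this only shows that the names are present in executable code; it cannot show that `remove_me()` actually reverses every database change or that the capability check guards the right code path.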

